Training Roadmap — Blue Cape Security

Your Path to DFIR Mastery

Navigate from security fundamentals to enterprise-scale incident response. Each track builds on the last — learn the concepts, practice with real scenarios, and validate your skills.

Learn
Structured lessons with hands-on online labs
Practice
Apply skills in realistic investigation scenarios
Validate
Prove your skills with a practical certification exam

Training Tracks

Structured learning paths from fundamentals to advanced.
Foundation

SOC ANALYST CORE

Enterprise Security

Build your security foundation — understand enterprise environments, attacker tradecraft, and core defensive concepts that every security professional needs.

Enterprise Security Fundamentals
Syllabus
Cyber Threat Landscape & Kill Chains
Enterprise Domain Environments & Active Directory
Logging, Telemetry & Visibility
Detection Engineering Fundamentals
Real-World Attack Techniques & Living Off the Land
Incident Response Process Overview
Includes hands-on online labs
Intermediate

ANALYST I

Practical Windows Forensics

Develop hands-on forensic investigation skills — disk & memory analysis, timeline reconstruction, and evidence handling in realistic enterprise scenarios.

Practical Windows Forensics
Syllabus
Windows Endpoint Compromise Analysis
Disk & Memory Forensics
Event Log Analysis & Enhancement
Network Telemetry & PCAP Analysis
Malware Triage & Artifact Recovery
Timeline Reconstruction Techniques
Includes hands-on online labs
FOR200 Windows Forensic Investigation Scenarios (4 scenarios)
FOR001 (Intermediate)
Disgruntled Manager’s Exodus
Insider threat, data leakage
Investigate an insider threat — a departing manager suspected of exfiltrating sensitive company data before their last day.
FOR002 (Intermediate)
Suspicious Network Connection
Network activity, host forensics
Trace a suspicious outbound connection from a workstation to an external C2 server, analyzing network artifacts and endpoint telemetry.
FOR003 (Advanced)
Unauthorized Access
Credential misuse, lateral movement
Uncover how a threat actor gained unauthorized access to a restricted file share through credential misuse and lateral movement techniques.
FOR004 (Beginner)
Suspicious Logons
Insider threat, unauthorized access
Investigate anomalous authentication events on the CTO’s workstation — determine if credentials were compromised and what was accessed.
PWFA: Practical Windows Forensic Analyst (7-day hands-on exam)

Analyze a compromised system, reconstruct the attack timeline, and deliver a professional DFIR report. Score 85%+ for distinction.

Advanced (Exam Coming Soon)

ANALYST II

Advanced DFIR

Master enterprise-scale incident response — multi-host investigations, advanced memory analysis, and full IR reporting for real-world APT and ransomware cases.

Enterprise DFIR
Syllabus
DFIR Methodology & Processes
Anatomy of Ransomware Attacks
Access Broker Model & Threat Landscape
SIEM Triage & Threat Hunting
Advanced Log & Memory Analysis
Super Timeline Creation & IR Reporting
Includes hands-on online labs
IR300 Incident Response Investigation Scenarios (3 scenarios)
IR001 (Intermediate)
Operation Quiet Tunnel
Reverse tunneling, exfiltration, ransomware
Investigate reverse tunneling techniques used to establish covert channels, exfiltrate data, and ultimately deploy ransomware across the enterprise.
IR002 (Advanced)
Operation Red Echo
Stealthy intrusion, credential theft, exfiltration
Uncover a stealthy intrusion operation — trace credential theft techniques, identify data exfiltration paths, and reconstruct the full attack timeline.
IR003 (Advanced)
Stealthy Network Breach
VPN compromise, privilege escalation, ransomware
Respond to a network breach originating from a compromised VPN — follow the attacker’s privilege escalation path through to ransomware deployment.
DFIR EXAM: Enterprise DFIR Analyst (Coming Soon)

The Analyst II certification exam is currently in development. Stay tuned for the ultimate enterprise DFIR validation.

Ongoing Practice

Continuous skill-building, independent of tracks.
Ongoing Practice Subscription

Analyst Defense Labs

Monthly investigation scenarios for working analysts

Sharpen your skills with fresh, real-world investigation scenarios released monthly. Each lab drops you into a realistic case with logs, artifacts, and a guided in-browser environment. No track is required; the scenarios are built from feedback by working defenders, from SOC analysts to senior DFIR engineers.

New scenarios released monthly
Guided in-browser lab environment
Real-world enterprise cases
Built from real defender feedback
No prerequisites required

Training Waitlist

Join our waitlist and get notified when training becomes available.


By submitting this form, you agree that we may contact you and that you will receive our free email newsletter. (You will never be spammed, and you can unsubscribe at any time.) We do not share your information with third parties.